[Samba] Upgrade to 4.20: Not resetting nTSecurityDescriptor

Daniel Müller mueller at tropenklinik.de
Mon Apr 15 05:53:16 UTC 2024


I did it:
root@dom2:~# samba-tool dbcheck --fix
Checking 705 objects
Reset nTSecurityDescriptor on CN=Deleted Objects,DC=tlk,DC=loc back to provision default?
        Owner mismatch: SY (in ref) DA(in current)
        Group mismatch: SY (in ref) DA(in current)
        Part dacl is different between reference and current here is the detail:
                (A;;LCRPLORC;;;AU) ACE is not present in the reference
                (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA) ACE is not present in the reference
                (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY) ACE is not present in the reference
                (A;;CCDCLCSWRPWPSDRCWDWO;;;SY) ACE is not present in the current
                (A;;LCRP;;;BA) ACE is not present in the current
 [y/N/all/none] y
Fixed attribute 'nTSecurityDescriptor' of 'CN=Deleted Objects,DC=tlk,DC=loc'

Checked 705 objects (1 errors)



root@dom2:~# samba-tool dbcheck --cross-ncs
Checking 4506 objects
Not resetting nTSecurityDescriptor on CN=Deleted Objects,CN=Configuration,DC=tlk,DC=loc

Not resetting nTSecurityDescriptor on CN=Deleted Objects,DC=DomainDnsZones,DC=tlk,DC=loc

Not resetting nTSecurityDescriptor on CN=Deleted Objects,DC=ForestDnsZones,DC=tlk,DC=loc

Checked 4506 objects (3 errors)
Please use 'samba-tool dbcheck --fix' to fix 3 errors
root@dom2:~# samba-tool dbcheck --fix
Checking 705 objects
Checked 705 objects (0 errors)

But the next "samba-tool dbcheck --cross-ncs" shows the same three errors again!?

Greetings
Daniel

From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Saturday, 13 April 2024 10:38
To: mueller at tropenklinik.de; samba samba <samba at lists.samba.org>
Subject: Re: [Samba] Upgrade to 4.20: Not resetting nTSecurityDescriptor

On Fri, 2024-04-12 at 08:03 +0200, Daniel Müller via samba wrote:
Hello to all,

After updating to samba 4.20 (from samba 4.19) on Debian 11, samba-tool
dbcheck --cross-ncs
results in:
samba-tool dbcheck --cross-ncs
Checking 4499 objects
Not resetting nTSecurityDescriptor on CN=Deleted Objects,CN=Configuration,DC=tlk,DC=loc
Not resetting nTSecurityDescriptor on CN=Deleted Objects,DC=DomainDnsZones,DC=tlk,DC=loc
Not resetting nTSecurityDescriptor on CN=Deleted Objects,DC=ForestDnsZones,DC=tlk,DC=loc
Not resetting nTSecurityDescriptor on CN=Deleted Objects,DC=tlk,DC=loc

Checked 4499 objects (4 errors)
Please use 'samba-tool dbcheck --fix' to fix 4 errors

Do I have to perform samba-tool dbcheck --fix, though this server is the
second and the master still is running samba 4.19!?

Yes, you can reset this SD.  I've checked the code and we only improved dbcheck, we didn't make a matching change to the C code. 

Andrew Bartlett

-- 
Andrew Bartlett (he/him)        https://samba.org/~abartlet/
Samba Team Member (since 2001)  https://samba.org
Samba Developer, Catalyst IT    https://catalyst.net.nz/services/samba
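
Added example (not part of the original thread and not Samba code): a short Python script that decodes the SDDL ACE lines dbcheck printed for CN=Deleted Objects,DC=tlk,DC=loc above and reports, per trustee, which rights the reset to the provision default removes or grants. The function names and the regular expression are this example's own; it assumes plain allow ACEs with no flags or object GUIDs, as in that output, and sees only the ACEs dbcheck listed as different.

```python
import re

# SDDL access-right codes used for directory objects.
RIGHTS = {
    "CC": "create child", "DC": "delete child", "LC": "list children",
    "SW": "self write", "RP": "read property", "WP": "write property",
    "DT": "delete tree", "LO": "list object", "CR": "control access",
    "SD": "delete", "RC": "read control", "WD": "write DACL", "WO": "write owner",
}
TRUSTEES = {"AU": "Authenticated Users", "DA": "Domain Admins",
            "SY": "Local System", "BA": "Builtin Administrators"}

# The five ACE lines from the dbcheck output on this page, wrapped lines rejoined.
DBCHECK_DIFF = """\
(A;;LCRPLORC;;;AU) ACE is not present in the reference
(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA) ACE is not present in the reference
(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY) ACE is not present in the reference
(A;;CCDCLCSWRPWPSDRCWDWO;;;SY) ACE is not present in the current
(A;;LCRP;;;BA) ACE is not present in the current
"""
ACE_LINE = re.compile(
    r"\(A;;([A-Z]+);;;([A-Z]{2})\) ACE is not present in the (reference|current)")

def split_rights(mask):
    """Split an SDDL rights string such as 'LCRP' into its two-letter codes."""
    codes = [mask[i:i + 2] for i in range(0, len(mask), 2)]
    if len(mask) % 2 or any(c not in RIGHTS for c in codes):
        raise ValueError(f"unrecognised rights string: {mask!r}")
    return set(codes)

def reset_effect(diff_text):
    """Per trustee: (rights removed, rights granted) if the SD is reset."""
    current, reference = {}, {}
    for mask, trustee, missing_from in ACE_LINE.findall(diff_text):
        # "not present in the reference" means the ACE is only in the current SD.
        side = current if missing_from == "reference" else reference
        side.setdefault(trustee, set()).update(split_rights(mask))
    effect = {}
    for trustee in sorted(set(current) | set(reference)):
        cur, ref = current.get(trustee, set()), reference.get(trustee, set())
        effect[trustee] = (cur - ref, ref - cur)
    return effect

def describe(codes):
    return ", ".join(sorted(RIGHTS[c] for c in codes)) or "-"

if __name__ == "__main__":
    for trustee, (removed, granted) in reset_effect(DBCHECK_DIFF).items():
        print(f"{TRUSTEES[trustee]}: loses [{describe(removed)}]; "
              f"gains [{describe(granted)}]")
```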